Filmmakers accuse China of cyberattacks

By Ellen Nakashima, The Washington Post

Friday, March 29, 2013

The trouble began even before the American filmmakers set foot in the Tibetan region of China.

A member of their crew in India noticed that her laptop screen would flash occasionally -- an unseen hand taking a screen shot of her computer. Her cursor would move around unbidden on her screen. Sometimes her laptop abruptly logged her off.

Once the filmmakers got to the Tibetan region, their laptop was hacked, its operating system wiped out and a related website in Los Angeles deluged with so much traffic that it crashed.

The cyberattacks on the team led by filmmakers Christian Johnston and Darren Mann started nearly five years ago and continued for so long that they delayed completion of the documentary about Tibet, "State of Control."

The filmmakers are convinced that the Chinese government is behind the attacks, but the evidence is circumstantial. The Chinese government has a history of hacking into the computers of human rights activists. Some of the intrusions have been traced to computers in China. And Beijing routinely tries to quash dissent in Tibet and keep the grievances of the region's ethnic minority from reaching the outside world.

As attention focuses on Chinese theft of business secrets, experts warn that another area deserving scrutiny is the Chinese authorities' use of cyber-tactics to suppress free speech. Chinese cyberspies have been accused of hacking into the computers of Tibetan activists and human rights groups, as well as major U.S. financial institutions, law firms and news organizations, including The Washington Post.

"The Chinese military is involved in hacking for intimidation, absolutely," said Greg Walton, an independent cybersecurity researcher in India who has documented surveillance of dissidents' networks by the Chinese. "There's an accepted body of evidence to show that the People's Liberation Army are engaged in this activity."

The experience of the U.S. filmmakers and their crew does not constitute the kind of large-scale cyberattack that prompts headlines or congressional hearings. But it does illustrate the persistence of cyber-harassment.

Johnston, 39, said he was troubled by the disruption of the film. "The disturbing part," he said in an interview, "is watching China's impunity to monitor and be intrusive, not only with our own little film project, but with human rights activists in America all the way up to major Western media."

The Chinese government routinely denies that it hacks into computers. It says it is one of the main victims of cyberattacks, including from the United States. Accusations that China condones hacking, a Defense Ministry official told The Post, are "neither professional nor in accordance with the facts."

The cyber-harassment of the film crew began in 2008. Spontaneous protests across the Tibetan region led to a crackdown by the Chinese government and a media blackout in the run-up to the Beijing Olympics that summer.

Mann and Johnston flew to Dharmsala, India, and Kathmandu, Nepal, to talk with the Tibetan communities in exile there. In India, their production coordinator, Claire Barnhoorn, noticed that she would be abruptly signed out of her Gmail account, sometimes while she was in the middle of writing an e-mail. Then her laptop screen would start flashing.

"People were in control of my computer," said Barnhoorn, who was helping arrange interviews. "It was just crazy. Before I met Darren and Christian, I never had any of these issues."

Barnhoorn said that her cellphone made clicking sounds when she was on a call and that she could hear Chinese voices in the background. The harassment continued after she returned to Amsterdam in fall 2008.

Mann and Johnston are experienced filmmakers who have worked in conflict zones such as Afghanistan and Rwanda. They planned to visit the Tibetan region of China, where people worship the exiled Dalai Lama, whom the Beijing government views as a threat.

The government has tried to keep foreign journalists out of the region, fearing that news of self-immolations and protests there could spread to other parts of the country. So the filmmakers knew they had to take care. They erased contacts from their cellphones before leaving for the region; Johnston carried only a stripped-down laptop.

Soon after arriving, Mann, 45, discovered that his business website had crashed under a barrage of traffic. A few days later, in a hotel room in Rebkong, an autonomous Tibetan prefecture in China, Johnston opened his laptop and found the bluetooth wireless function turned on, his computer "shared" with another one and the desktop wiped clean. Communications with the crew in Los Angeles and Dharmsala also were lost.

About 10 days into the trip, the level of frustration peaked. The pair had been trailed everywhere, videotaped by security personnel. "As of two hours ago, my website and my e-mail was completely wiped out and doesn't exist," Mann says in the still-unreleased documentary after being turned back at a checkpoint.

The tactics continued even after their return to the United States. A producer said his website had suffered a denial-of-service attack that crashed the server. He saw what had happened to other people and, spooked by it, quit the job.

In January 2010, one of the movie's subjects, a Tibetan American activist named Tenzin Seldon, learned that she had become a victim of Chinese cyberspies. Seldon, then a student at Stanford University, was contacted by a Google security official who told her that hackers in China had broken into her Gmail account. That month, Google announced that its systems had been hacked and the source code stolen and that Gmail accounts of human rights activists had been breached.

"I always operated under the assumption that I was being surveilled," said Seldon, 23, now a Rhodes scholar in England who has family members and friends in Tibet. "I am always in fear that I may be endangering them if I communicate with them via e-mail or any type of communication. That's a constant struggle."

The incidents piled up. A film editor in Los Angeles received a Google alert that her e-mail account had been "recently accessed from China." A producer in Denver noticed project files missing from her laptop. As she sought to back up the remaining files on her hard drive, her laptop froze and failed to reboot. A technician analyzed router logs from her wireless network and found that many of the Internet protocol addresses her laptop was communicating with were in China.

"There's no reason for her machine to talk to China," said Ralph Echemendia, a cybersecurity expert who helps movie studios.

A few weeks ago, Johnston checked his e-mail archive and found that a series of e-mail communications with his crew from July through September 2008 had disappeared.

The persistent and invasive attacks on the crew amounted to "a pretty disturbing psychological campaign," said Dmitri Alperovitch, chief technology officer at CrowdStrike, a security firm that has examined the group's computers.

The setbacks delayed the documentary, but Mann and Johnston say they are determined to finish and release the film